iSeal: Encrypted Fingerprinting for Reliable LLM Ownership Verification

TL;DR

iSeal introduces a robust fingerprinting method for LLMs that remains effective even when attackers control the inference process, ensuring reliable ownership verification against sophisticated attacks.

Contribution

It is the first fingerprinting approach resilient to verification-time attacks, combining model and external features with error correction and similarity verification.

Findings

Achieves 100% FSR on 12 LLMs against 10+ attacks.

Outperforms baselines under unlearning and response manipulation.

Resistant to collusion-based fingerprint unlearning.

Abstract

Given the high cost of large language model (LLM) training from scratch, safeguarding LLM intellectual property (IP) has become increasingly crucial. As the standard paradigm for IP ownership verification, LLM fingerprinting thus plays a vital role in addressing this challenge. Existing LLM fingerprinting methods verify ownership by extracting or injecting model-specific features. However, they overlook potential attacks during the verification process, leaving them ineffective when the model thief fully controls the LLM's inference process. In such settings, attackers may share prompt-response pairs to enable fingerprint unlearning or manipulate outputs to evade exact-match verification. We propose iSeal, the first fingerprinting method designed for reliable verification when the model thief controls the suspected LLM in an end-to-end manner. It injects unique features into both the model and an external module, reinforced by an error-correction mechanism and a similarity-based verification strategy. These components are resistant to verification-time attacks, including collusion-based fingerprint unlearning and response manipulation, backed by both theoretical analysis and empirical results. iSeal achieves 100 percent Fingerprint Success Rate (FSR) on 12 LLMs against more than 10 attacks, while baselines fail under unlearning and response manipulations.